Introduction to the JSON Spec Suite
Session Topic: JSON SPECS Suite & OpenID ABC (T1A)
Convener: Mike Jones
Notes-taker(s): Nat Sakimura
Tags for the session - technology discussed/ideas considered:
JSON, Signature, Encryption, Token, OpenID
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Topics Today
Token: JWT
Signature: JWS
Encryption: JWE / JSMS
Key: JWK
Simple Web Discovery (SWD)
OAuth 2.0 spec
OpenID AB/Connect
Some depend on others, e.g., OpenID ABC depends on all of the above.
JWT
- Consolidated several spec proposals.
- No canonicalization.
- Common sets of registry would be useful?
- Main goal: JSON representation for claims to support signature securely.
- Schema?
-- Binding specific.
JWS
- Algorithms: 3 HMACs, RSA, ECDSA.
-- HS256 is mandatory.
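Added example (not from the session, and not code from any of the drafts discussed): a minimal HS256 JWS over a JWT claims set, in Python using only the standard library. It illustrates the two notes above: the signature covers the base64url-encoded header and payload exactly as transmitted, so no JSON canonicalization is required, and the verifier pins the algorithm it expects instead of trusting the "alg" in the header. The key, claims and tampered tokens are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in the JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 (the mandatory-to-implement alg)."""
    header = {"typ": "JWT", "alg": "HS256"}
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    encoded_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    # The signing input is the encoded text itself, not a canonical form of the JSON.
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims if the token carries a valid HS256 signature, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact serialization")
    encoded_header, encoded_payload, encoded_signature = parts
    header = json.loads(b64url_decode(encoded_header))
    # The verifier decides which algorithm is acceptable; the header only has to agree.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so a mismatch reveals nothing about where it differs.
    if not hmac.compare_digest(expected, b64url_decode(encoded_signature)):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(encoded_payload))


def demo():
    """Sign a constructed claims set, then confirm that a swapped payload and an
    'alg': 'none' header are both rejected. Returns (claims, forged_rejected, none_rejected)."""
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    claims = {"iss": "https://idp.example", "sub": "alice", "exp": 1700000000}
    token = jws_sign_hs256(claims, key)
    verified = jws_verify_hs256(token, key)

    head, _payload, sig = token.split(".")
    # Same header and signature, different payload: the HMAC no longer matches.
    forged_payload = b64url_encode(b'{"iss":"https://idp.example","sub":"mallory"}')
    forged = ".".join([head, forged_payload, sig])
    try:
        jws_verify_hs256(forged, key)
        forged_rejected = False
    except ValueError:
        forged_rejected = True

    # Header claims "alg": "none": rejected before any signature check, since HS256 is pinned.
    none_header = b64url_encode(b'{"typ":"JWT","alg":"none"}')
    unsigned = ".".join([none_header, _payload, ""])
    try:
        jws_verify_hs256(unsigned, key)
        none_rejected = False
    except ValueError:
        none_rejected = True

    return verified, forged_rejected, none_rejected


if __name__ == "__main__":
    print(demo())
```

Because the signing input is the transmitted text, a verifier that re-serializes the JSON (reordering keys or changing whitespace) before hashing would break verification; the encoded segments must be hashed as received.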
JWE
- Again, several proposals, e.g., draft-rescorla-jsms.
- Sitting down this week to come up with a JWS-like spec.
JWK
- Not a replacement for X.509, but for the cases that require just a public key representation.
SWD
- Modular, very simple discovery spec.
- OpenID ABC depends on it.
- No current draft to "push" content into discovery service.
OAuth
Currently, the following are being discussed in the IETF:
- OAuth 2.0 Framework Spec.
- OAuth 2.0 Bearer Token Spec.
- SAML Grant OAuth 2 Profile
- JWT Grant OAuth 2 Profile (Private Draft)
- MAC Signature OAuth 2 Profile (Private Draft)
OpenID ABC
Specs are in three layers: Building Blocks, Protocol Bindings, Profiles.
- Go to the OpenID blog: http://openid.net/2011/04/29/a-map-for-openid-abc/
- Open Spec Issues
-- Kinds of identifiers supported
-- Permissioning distributed attribute providers
-- Claims specification and integration
-- Trust metadata formats and transport
-- OAuth 2 spec completion.
Q. Why so complex?
A. Being modular does not mean complex. Being a single spec does not mean simple. Not everybody needs to read the crypto spec. Most should use libraries.